1. Field of the Invention
The present specification relates generally to security of communication systems, and in particular, but not exclusively, to preventing third parties from using resources of a user.
2. Description of the Related Art
A communication system may be seen as a facility that enables communication between two or more entities such as, but not limited to, user equipment and/or other nodes associated with the system. The communication may include, for example, communication of voice, data, multimedia and so on.
In a basic communication system, a simple communication network is typically provided for linking together two or more nodes so that the nodes can communicate with each other. The communication may occur during a communication session. At least some set-up signaling is typically required in order to set up a communication session. Communication between the user equipment and/or the entities of the communication network and/or the set-up signaling may be based on an appropriate communication protocol or protocols.
The communication may be provided by a fixed line and/or wireless communication interfaces. A feature of many wireless communication systems is that they provide mobility for the users thereof. A non-limiting example of a communication system providing wireless communication is a public land mobile network (PLMN) and another non-limiting example is a wireless local area network (WLAN). A non-limiting example of the fixed line system is a public switched telephone network (PSTN).
A communication system typically operates in accordance with a given standard and/or specification which usually sets out what the various elements of a system are permitted to do and how that should be achieved. For example, the standard or specification may define if the user or, more precisely, user equipment, is provided with a circuit switched service or a packet switched service or both. Communication protocols and/or parameters which may be used for the connection are also typically defined. For example, the manner in which communication may be implemented between the user equipment and the elements of the communication networks is typically based on a predefined communication protocol. In other words, a specific set of “rules” on which the communication may be based, in many cases, is preferably defined to enable the user equipment to communicate via the communication system.
The term “service” used above and hereinafter will generally be understood to broadly cover any service and/or goods which a user may desire, require and/or be provided with. The term also may be understood to cover the provision of complementary services. In particular, but not exclusively, the term “service” will generally be understood to include services provided over Internet Protocol networks, conferencing, telephony, gaming, rich call, presence, e-commerce and messaging, for example, instant messaging.
In a mobile communication system, the users are typically connected to the communication system by radio access entities and/or similar wireless service areas. The access entities are typically referred to as cells. Various user equipment (UE) such as, but not limited to, fixed or portable computers, mobile telephones, personal data assistants or organizers and so on are known to the skilled person and may be used to access the Internet to obtain services via a mobile communication system. Mobile user equipment is often referred to as a mobile station (MS) and may be defined as a means that is capable of communication via a wireless interface with another device such as, but not limited to, a base station of a mobile telecommunication network or any other station. Each mobile user equipment, or more precisely the subscription it carries, may typically be identified by a unique identifier, for example, the International Mobile Subscriber Identity (IMSI).
Generally, the introduction of Third Generation (3G) communication systems has significantly increased the possibilities for accessing various services on the Internet via mobile user equipment, as well as via other types of user equipment. The third generation systems may be implemented based on, for example, the standards for the GPRS (General Packet Radio Service), WCDMA (Wideband Code Division Multiple Access), TDMA/CDMA (Time Division Multiple Access/Code Division Multiple Access) in UMTS (Universal Mobile Telecommunications System), CDMA 2000, I-Phone and so on.
The 3G Partnership Project (3GPP) has defined a reference architecture for a typical core network which generally provides the users of user equipment with access to services provided via the data communication system. The core network may be based on the use of the general packet radio service (GPRS). The GPRS operation environment commonly includes one or more subnetwork service areas, which are usually interconnected by a GPRS backbone network. A subnetwork typically includes a number of packet data service nodes (SN) which, in this application, will generally be referred to as serving GPRS support nodes (SGSN), each of which is normally connected to the mobile communication network, typically to base station systems by way of radio network controllers (RNC), in such a way that it may provide a packet service for mobile user equipment via several base stations, in other words, cells. The intermediate mobile communication network commonly provides packet-switched data transmission between a support node and mobile data terminals. Different subnetworks are usually, in turn, connected to an external data network, for example, to a packet switched public data network (PSPDN), via GPRS gateway support nodes (GGSN). An example of the external data networks is the Internet Protocol (IP) Internet. The GPRS services thus generally allow for packet data transmission between mobile user equipment and external data networks, especially when the cellular network functions as an access network.
In a GPRS network, the mobile user equipment may send a message requesting activation of a packet data protocol (PDP) context in the network. A Serving GPRS support node SGSN typically authenticates the mobile user and usually sends a PDP context creation request to a gateway node GGSN, commonly selected according to a GGSN address stored in the subscriber data and/or according to the access point name given by the user equipment, or to a default GGSN known by the SGSN.
In such a network, a packet data protocol (PDP) context is normally established to carry traffic flows over the network, each PDP context typically including a radio bearer provided between the user equipment and the radio network controller, a radio access bearer provided between the user equipment, the radio network controller and/or the SGSN, and/or switched packet data channels generally provided between the serving GPRS support node and the gateway GPRS support node. Each PDP context may carry more than one traffic flow, but all traffic flows within one particular PDP context are usually treated the same way, at least as regards their transmission across the network. The PDP context treatment requirement is normally based on PDP context treatment attributes associated with the traffic flows, for example, quality of service and/or charging attributes.
The 3GPP communication systems commonly provide sophisticated communication services and/or increased and/or more flexible data transmission capabilities. These improved features may be expected to increase the user friendliness thereof and/or the variety of services available through the mobile communications. However, at the same time, the networks generally become more vulnerable to attacks by malicious users who may try to use the networks for gaining financial and/or other advantage and/or for causing intentional or unintentional damage. Such a malicious user is sometimes referred to by the term “hacker”.
There are different possible types of attacks. For example, ‘Denial-of-service’ attacks normally attempt to prevent the victim from providing and/or receiving a service by crashing and/or overwhelming the service. Exploitation attack is another type which typically attempts to take direct control of a machine. The most common is the ‘Trojan horse’. A recently discovered type of attack is generally where subscribers to a 3GPP network may become the target of a malicious activity wherein the hacker aims to take benefit of the subscriber accounts. This type of attack is sometimes referred to as ‘over-billing attack’. In this attack the hacker may flood one or a number of arbitrary victims, usually by setting up transmission control protocol (TCP) connections to a server in the Internet which is also commonly controlled by the hacker. The hacker may set up the connection to the Internet from a user equipment connected to a radio access network via networks elements such as, but not limited to, SGSN and/or GGSN and/or a GPRS backbone network.
When the user equipment of the hacker activates the GPRS connection, the PDP context is typically assigned an Internet Protocol (IP) address. A TCP connection may then be opened between the user equipment and the server, both normally controlled by the hacker. The GGSN generally maintains a record wherein the identity of the user equipment is usually linked with the IP address assigned for the user equipment.
When the hacker deactivates the PDP context from his user equipment, he commonly leaves the connection from the server open. The server then typically starts sending acknowledgement packets back to the user equipment. However, at this stage, the user equipment of the hacker has normally already deactivated the PDP context. As a result, the GGSN usually starts dropping the acknowledgement packets from the server and generally clears the record linking the identity of the hacker's user equipment and the IP address.
If a victim user equipment now activates a PDP context with the same GGSN, the GGSN may assign the IP address that was previously assigned for the hacker's user equipment to this user equipment and will typically then start routing the acknowledgement packets from the server to the victim's user equipment. The victim user equipment commonly receives the acknowledgements, but may not react to them. The victim may become liable for the charges for those received packets, even though the victim has not requested them.
Conventionally, the mobile operators have tried to protect the user equipment from different types of attacks by deploying stateful firewalls in the networks, generally for filtering any unwanted connection attempts. When a trusted internal host connects to a transmission control protocol (TCP) socket on another host, a stateful packet inspection filter that normally protects the network usually creates a state. Upon receiving the first message packet to open and establish a TCP connection, in other words, the TCP ‘SYN’ message, the firewall typically makes an entry in its state table containing the destination socket and/or the source socket. Upon having entered the state information in the table, the firewall then commonly forwards the packet to the destination. When the response comes back, the filter usually simply looks up the stored source and destination sockets in its state table, and if they match an expected response, the firewall generally passes the response packet and any further packets on. If no table entry exists, the packet is normally dropped.
Stateful packet inspection filters may be used similarly to create a state for User Datagram Protocol (UDP) datagrams.
The filter typically removes state table entries when the TCP ‘close session’ negotiation packets are routed through. Another possibility is to remove the entries based on a timer after a predefined time of inactivity. The timer is usually set to expire after a few minutes. These measures have conventionally been believed to be enough to ensure that no table “holes”, as described above, are left open for dropped connections.
Deploying a stateful firewall at the interface between the GGSN and the external networks, such as, but not limited to, the Public Internet, sometimes referred to as the Gi interface, will generally prevent most of the attacks. However, such a firewall usually cannot detect or block the “over-billing attack”. Once the hacker opens the connection to the malicious server, a state is typically created in the firewall, normally at the Gi interface, allowing packets to be sent between these two nodes. The firewall has no knowledge of PDP context activation or deactivation, so when the hacker disconnects and the IP address is being assigned to a different user, IP packets from the server to that IP address will commonly still match the existing state and pass the firewall at the Gi interface.
It has been proposed that an additional firewall may be deployed between the GGSN and the SGSN. The proposal is usually that the checking firewall send a specific alert message to the filtering firewall in response to, for example, detection of a ‘delete PDP context’ message associated with a user equipment. Such a mechanism is generally believed to ensure that the state in the firewall at the Gi interface is deleted when the user equipment disconnects from the network and that the packets from the malicious server will therefore be dropped.
The proposed solution, however, is proprietary and typically requires the operator to have additional hardware, for example, the checking firewall server, at every interface between the SGSN and GGSN. This checking firewall would normally only function for the purpose of detecting and/or blocking the over-billing attacks. For these reasons alone, the operators may not want to go this way, but may rather want to rely on other mechanisms.
It shall be understood that the described over-billing attack in TCP environments is just one of the possible threats. Since there are currently no mechanisms specifying how the elements of the GPRS backbone could inform the stateful firewall at the interface between the GGSN and the Internet if an IP address of a potential victim is still used by a third party, several other similar attacks are possible. As an example of the different attacks, a hacker may have set up a communication with another malicious node that would typically generate UDP traffic. The hacker would then normally disconnect from the network, but the malicious node would generally still generate UDP traffic, thus usually refreshing the states in the firewall at the Gi interface so that the inactivity timer never expires. When the IP address of the hacker is being re-assigned to a different user, this 3GPP user will commonly start receiving UDP datagrams that it has not requested but will typically have to pay for.
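The following is an added example, not part of the specification above and not a model of any particular vendor's GGSN or firewall. It replays, in a toy simulation, the attack sequence described earlier (hacker activates a PDP context, opens a connection to a server under his control, deletes the context, and the recycled address is handed to a victim), the Gi stateful filter with its SYN-created state, simplified close handling and inactivity timer, the UDP variant in which the server keeps the state alive, and the proposed checking-firewall alert that purges state on ‘delete PDP context’. The addresses, ports, the 180 s idle timer, the 60-byte packet size, the single-address pool, the `purge_ip` alert hook and the treatment of a FIN in either direction as a close are all assumptions made for the example; a real filter tracks the full TCP close handshake and a real GGSN bills on volume from its charging records.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    flags: str = ""   # "SYN", "ACK" or "FIN" for TCP; "" for UDP
    size: int = 60    # bytes, for the toy charging record (assumed)


class GiFirewall:
    """Stateful packet filter at the Gi interface (GGSN <-> Internet)."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.table = {}   # (proto, {src, dst}) -> time of the last matching packet

    @staticmethod
    def key(pkt):
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))

    def outbound(self, pkt, now):
        """GPRS side -> Internet: a TCP SYN or any UDP datagram creates state."""
        if pkt.proto == "UDP" or pkt.flags == "SYN":
            self.table[self.key(pkt)] = now

    def inbound(self, pkt, now):
        """Internet -> GPRS side: pass only packets that match live state."""
        k = self.key(pkt)
        last = self.table.get(k)
        if last is None or now - last > self.idle_timeout:
            self.table.pop(k, None)      # no state, or state expired by the timer
            return False
        if pkt.flags == "FIN":           # simplified close: remove the entry
            del self.table[k]
        else:
            self.table[k] = now          # any matching packet refreshes the timer
        return True

    def purge_ip(self, ip):
        """Hypothetical alert from a checking firewall: forget all state for ip."""
        self.table = {k: t for k, t in self.table.items()
                      if all(sock[0] != ip for sock in k[1])}


class GGSN:
    def __init__(self, pool, firewall, notify_firewall=False):
        self.pool = list(pool)        # free addresses, handed out first-in first-out
        self.fw = firewall
        self.notify_firewall = notify_firewall
        self.ip_to_imsi = {}          # record linking a PDP context address to a subscriber
        self.charges = {}             # imsi -> bytes billed

    def activate_pdp(self, imsi):
        ip = self.pool.pop(0)
        self.ip_to_imsi[ip] = imsi
        return ip

    def delete_pdp(self, imsi):
        ip = next(a for a, i in self.ip_to_imsi.items() if i == imsi)
        del self.ip_to_imsi[ip]
        self.pool.append(ip)
        if self.notify_firewall:      # the proposed 'delete PDP context' alert
            self.fw.purge_ip(ip)

    def from_ue(self, pkt, now):
        self.fw.outbound(pkt, now)

    def from_internet(self, pkt, now):
        """Gi -> UE: filter, then route; every delivered packet is charged."""
        if not self.fw.inbound(pkt, now):
            return "dropped_by_firewall"
        imsi = self.ip_to_imsi.get(pkt.dst[0])
        if imsi is None:
            return "dropped_no_context"   # address currently unassigned
        self.charges[imsi] = self.charges.get(imsi, 0) + pkt.size
        return "delivered_to_" + imsi


def run_attack(proto="TCP", server_interval=10, idle_timeout=180, notify_firewall=False):
    """Replay the attack; return bytes charged to the victim (0 means it failed)."""
    fw = GiFirewall(idle_timeout)
    ggsn = GGSN(["10.1.1.1"], fw, notify_firewall)
    server = ("203.0.113.5", 80)      # hostile server, also controlled by the attacker
    ip = ggsn.activate_pdp("hacker")
    ggsn.from_ue(Packet(proto, (ip, 40000), server, "SYN" if proto == "TCP" else ""), 0)
    ggsn.delete_pdp("hacker")         # PDP context gone, server-side connection left open
    reply = "ACK" if proto == "TCP" else ""
    victim_ip = None
    for now in range(server_interval, 2000, server_interval):
        if now >= 600 and victim_ip is None:
            victim_ip = ggsn.activate_pdp("victim")   # the recycled address
        ggsn.from_internet(Packet(proto, server, (ip, 40000), reply), now)
    return ggsn.charges.get("victim", 0)


if __name__ == "__main__":
    print("TCP, chatty server:        ", run_attack("TCP"))
    print("UDP, chatty server:        ", run_attack("UDP"))
    print("TCP, server quiet > timer: ", run_attack("TCP", server_interval=600))
    print("TCP, with PDP-delete alert:", run_attack("TCP", notify_firewall=True))
```

Running the script shows the four cases side by side: with a server that sends every 10 s the victim is charged for every packet delivered after the address is reused, over TCP and UDP alike, because each packet refreshes the Gi state; the inactivity timer only helps when the server stays quiet for longer than the timeout before the address is reassigned; and purging the firewall state on ‘delete PDP context’ leaves the victim uncharged because the server's packets no longer match any state.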